ARCHIVE of formerly daily posts pertinent to the entrepreneurial economy.

Smells Like History

Earlier this week on the Proskauer Rose law firm's Privacy Law Blog, Chandi Abeygunawardana wrote about recent action the FTC has taken in connection with an advertising network engaged in "browser history sniffing."

History sniffing?

Abeygunawardana explains the practice and its uses this way:

"History sniffing involves running Javascript code on a Web page to determine whether a user’s browser displays links to specific domains as unvisited or visited. Using this information, [an advertising network] can determine whether the user has been to specific web pages or not in the past, and from that, glean their interests."

What did the ad network do with the results of its sniffing? According to the FTC complaint, the ad network, Epic, used the information for targeting in some pretty sensitive categories:

"Based upon its knowledge of which domains a consumer had visited, Epic assigned the consumer an interest segment. Epic’s interest segments included sensitive categories such as 'incontinence,' 'Arthritis,' 'Memory Improvement,' and 'Pregnancy-Fertility Getting Pregnant.' Epic used this history-sniffing data for behavioral targeting purposes."

But Epic wasn't sanctioned for the practice of history sniffing or effectively outing a person's private affairs. No, the FTC would appear to be okay with ad networks trolling your browser to see where else you've been lately. (Okay, or else lacking in substantive authority to regulate the practice.)

Instead, the ad network's offense in this case was in making false representations in its published privacy policy.

In other words, had the ad network simply 'fessed up and disclosed, in the written privacy policy, that it was engaged in history sniffing, there would have been no complaint and no proposed consent order.

This seems to be the theme of FTC complaints and consent decrees: no issues with nefarious behaviors, but instead a focus on whether a company's practice is at variance with the company's own written terms of service or privacy policies.

It's as if the FTC thinks people read terms of service and privacy policies!